SIP, NAT, and Firewalls

112/04/22 1Information Networking Security and Assurance LabNational Chung Cheng University

Information Networking Security and Assurance LabNational Chung Cheng University 2

Outline

Understanding the problem with SIP and Firewalls Overview of Internet Telephony and Voice over IP

RTP SDP SIP Overview

Internet Firewalls IP Addressing Issues Introduction to Security in SIP Summary Reference

Understanding the problems with SIP and Firewalls

Firewall

Port 5060SIP

Firewall do not know a certain address and emphermal port

Port ?

Understanding the problems with SIP and Firewalls (cont)

SIP, declares where to send media to (IP address / Port number) NOT where it comes from

Now with private IP, the problem is not only what ports to open but also to change its IP addresses in SIP message and telling the firewall about its usage

End-to-end encryption and authentication is impossible in the exchange of addresses

ALG and Real Specific IP

Overview of Internet Telephony and Voice over IP

http://www.cisco.com/warp/public/788/voip/voip-nat-6.gif

Overview of Internet Telephony and Voice over IP (cont)

RTPSDPSIP Overview

Streaming Audio –the Real Time Protocol

In RTP header, the sequence number is used to detect lost and out of order packets

The reason for not supporting retransmissionSolution

To ignore the lost data To extrapolate sound from previous audio samples

to make up the lost onesRTP uses UDP not TCP

Processing and encapsulation

The RTP header

Real Time Control Protocol (RTCP)

RFC 1889The main purpose is to give feedback on the

quality of the delivery of dataRTCP is sent periodicallyRTP -> even port number ; RTCP -> higher

and odd port number

The Session Description Protocol

The three main objectives To tell what kind of media you want to receive To understand how the media to be coded To inform where the addresses and port to be

delivered to Text based

The Structure of SDP

The grammar for SDP is very structured and strict <type>=<value> Only one character in type-field and this character is

in lower case

SDP header fields

Session description v= (protocol version) o= (owner/creator and session identifier). s= (session name) i=* (session information) u=* (URI of description) e=* (email address) p=* (phone number) c=* (connection information - not required if included in all media) b=* (bandwidth information) One or more time descriptions z=* (time zone adjustments) k=* (encryption key) a=* (zero or more session attribute lines) Zero or more media descriptions

Time description t= (time the session is active) r=* (zero or more repeat times)

Media description m= (media name and transport address) i=* (media title) c=* (connection information - optional if included at session-level) b=* (bandwidth information) k=* (encryption key) a=* (zero or more media attribute lines)

* optional item

SDP header fields (cont)

the origin field o=<username> <session id> <version> <network type> <address type> <address>

the connection field c=<network type> <address type> <connection address>

the media field m=<media> <port> <transport> <fmt list>

Payload types (PT) for standard audio and video encodings

SIP Overview

SIP, [RFC2543]Call setup -1

Between two users It’s not mandatory for SIP to use SDP, but it is the

only one defined so far

Setting up a SIP session

Call setup-2 with Routing SIP messages

Call setup-2 (cont)

SIP addresses

SIP addresses, the so-called SIP URLFormat sip:user@hostWe could find SIP URLs in

(1) the Request line, (2) the To field, (3) the From field, (4) the Via field, (5) the Contact filed, (6) the Record-route field, and (7) the Route field.

Examples sip:uabfrth@134.138.228.159

sip:Fredrik.Thernelius@uab.ericsson.se

Transportation protocol for SIP

It’ independent of service of any specific transport protocol

TCP, UDP, ATM AAL5, IPX, frame relay, X.25

SIP Terminology

User Agent User Agent Client (UAC) User Agent Server (UAS)

SIP Server SIP Proxy server SIP Redirect Server

Call leg –to identify a session between two SIP clients Call-ID The From field The To field

SIP message structure

Based on the Augmented Backus-Naur Form (ABNF) [RFC 2234]

Syntax specification “ | ” “ () ” CRLF - the end-of- line indicator, carriage return followed by

line feed “ * ”

Example SIP-message =Request | Response generic-message = start-line *message-header CRLF [ message-

body ]

SIP message structure (cont)

Example start-line = Request-Line | Status-Line message-header = ( general-

Summary of SIP requests

INVITEACKOPTIONSBYECANCELREGISTER

Summary of SIP response codes

Complete list of response codes

Summary of SIP headers

Internet Firewalls

Packet filtering Gateways Stateful Stateless Do not have ability to make changes to content On per interface and per direction

Packet filtering Gateways

Circuit-Level Gateways

Application Level Gateways

It works as proxies similar with circuit level gateway

On other occasions, it runs in cooperation with a firewall performing NAT

Some features Doesn’t support particular service/application It supports TCP and UDP (TFTP) With a NAT, it will examine the application data

IP addressing issues

IPv4IPv6Private Addresses

Static NAT Requires the same number of globally unique IP addresses The same mapping between local addresses and global

addresses Dynamic NAT NAPT Some problems

If a session is not initiated from the inside SIP, put IP addresses and port numbers inside the application

data in the IP packets

Introduction to Security in SIP

Encryption End-to-end between user agents, or hop-by-hop between SIP

entities To work on transport level or the network level Suggested in IPSec Basic rules

All header fields must not be encrypted All header fields that are not encrypted must precede those that are

encrypted An encryption header must be inserted to indicate the encryption

mechanism The responses to encrypted should be encrypted with a key

Encryption

Authentication

Authentication (cont)

Hide Route

Via field encryptionIntermediate proxies encrypts either the entire

Via list or only the top-most entry

Summary

Next issues Implementation of an ALG for SIP RSIP

Integrity of SIP and current network equipments is very interesting

Reference

SIP, NAT, and Firewalls Master’s Thesis By Fredrik Thernelius

http://cui.unige.ch/db-research/Enseignement/analyseinfo/AboutBNF.html

RFC2234

SIP, NAT, and Firewalls

Documents

Firewalls and NAT - net.t-labs.tu-berlin.de · Firewalls...

SIP, NAT, and...

SIP security and the great fun with Firewall /...

Sip Nat Travers Al

COMS W4995-1 COMS W4995-1 Lecture 8. NAT, DHCP & Firewalls.

SIP, NAT, Firewall SIP NAT Firewall How to Traversal...

Schedule NAT/Firewalls and Applications PhD thesis, ENST ...

NAT, firewalls and IPv6 Christian Huitema Architect, Windows...

ANALISIS DE TÉCNICAS PARA ATRAVESAR NAT/FIREWALLS EN...

Firewalls NAT Proxy

SIP? NAT? NOT! Traversing the Firewall for SIP Call...

Running SIP behind NAT Dr. Christian Stredicke, snom ...

1 Firewalls Types of Firewalls Inspection Methods Static...

SIP, NAT, and Firewalls - Columbia University · use...

Proxy Servers, Firewalls, NAT

Firewalls and NAT - inet.tu-berlin.de€¦ · NAT...